kpcyrd / spotify-launcher

Client for spotify's apt repository in Rust for Arch Linux

Missing key E27409F51D1B66337F2D2F417A3A762FAFD4A51F #18

Closed ugjka closed 1 year ago

ugjka commented 1 year ago
[2023-01-17T13:11:45Z INFO  spotify_launcher::config] Loading configuration file at "/etc/spotify-launcher.conf"
[2023-01-17T13:11:45Z INFO  spotify_launcher::apt] Downloading release file...
[2023-01-17T13:11:45Z INFO  spotify_launcher::apt] Downloading signature...
[2023-01-17T13:11:45Z INFO  spotify_launcher::apt] Verifying pgp signature...
Missing key E27409F51D1B66337F2D2F417A3A762FAFD4A51F, which is needed to verify signature.
Error: Verification of pgp signature didn't succeed

tmewett commented 1 year ago

(FYI you can run spotify-launcher --skip-update to launch in the meantime.)

kpcyrd commented 1 year ago

I can reproduce this, according to the install instructions it's still the old key:

https://web.archive.org/web/20230117135535/https://www.spotify.com/de/download/linux/

It links to:

https://web.archive.org/web/20230117135846/https://download.spotify.com/debian/pubkey_5E3C45D7B312C643.gpg

Following the install instructions with apt currently prints errors too:

root@33d8a1a48a32:/# apt update
Hit:1 http://deb.debian.org/debian bullseye InRelease
Hit:2 http://deb.debian.org/debian-security bullseye-security InRelease
Hit:3 http://deb.debian.org/debian bullseye-updates InRelease
Get:4 http://repository.spotify.com stable InRelease [3316 B]
Err:4 http://repository.spotify.com stable InRelease
  The following signatures couldn't be verified because the public key is not available: NO_PUBKEY 7A3A762FAFD4A51F
Reading package lists... Done
W: GPG error: http://repository.spotify.com stable InRelease: The following signatures couldn't be verified because the public key is not available: NO_PUBKEY 7A3A762FAFD4A51F
E: The repository 'http://repository.spotify.com stable InRelease' is not signed.
N: Updating from such a repository can't be done securely, and is therefore disabled by default.
N: See apt-secure(8) manpage for repository creation and user configuration details.
root@33d8a1a48a32:/# 

Steps to reproduce:

% docker run -i --rm debian:bullseye <<EOF
apt update
apt install -y curl gnupg
curl -sS https://download.spotify.com/debian/pubkey_5E3C45D7B312C643.gpg | apt-key add -
echo "deb http://repository.spotify.com stable non-free" | tee /etc/apt/sources.list.d/spotify.list
apt update
EOF

kpcyrd commented 1 year ago

Ok it seems the new key is available here:

https://download.spotify.com/debian/pubkey_7A3A762FAFD4A51F.gpg

The old key was about to expire:

/etc/apt/trusted.gpg
--------------------
pub   rsa4096 2021-10-27 [SC] [expires: 2023-01-20]
      F9A2 1197 6ED6 62F0 0E59  361E 5E3C 45D7 B312 C643
uid           [ unknown] Spotify Public Repository Signing Key <tux@spotify.com>

pub   rsa4096 2022-11-14 [SC] [expires: 2024-02-07]
      E274 09F5 1D1B 6633 7F2D  2F41 7A3A 762F AFD4 A51F
uid           [ unknown] Spotify Public Repository Signing Key <tux@spotify.com>

peb-adr commented 1 year ago

Great, thanks for the quick info! Pastable quick fix (as root):

  # gpg key expiring on 2023-01-20 was exchanged
  mv /usr/share/spotify-launcher/keyring.pgp  /usr/share/spotify-launcher/keyring.pgp.old
  wget https://download.spotify.com/debian/pubkey_7A3A762FAFD4A51F.gpg \
    -O /usr/share/spotify-launcher/keyring.pgp

kpcyrd commented 1 year ago

Thanks for reporting this and posting workarounds, I've uploaded a 0.4.2 release with the new key.

The official page has been updated in the meantime and points to the new key:

https://web.archive.org/web/20230117171543/https://www.spotify.com/de/download/linux/
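
A fingerprint-pinned variant of the keyring swap posted earlier in this thread, as an added example that is not part of any comment here and is not the project's own code: the downloaded file replaces the keyring only if it contains exactly the key whose fingerprint is quoted in this issue. The function names and the colon-format sample records are constructed for illustration, and `install_pinned_key` assumes a GnuPG that supports `--show-keys`.

```shell
#!/bin/sh
# Added example, not from the thread. Function names are illustrative.

# Fingerprint of the new signing key, as quoted in this issue.
EXPECTED_FPR="E27409F51D1B66337F2D2F417A3A762FAFD4A51F"

# Read `gpg --with-colons` output on stdin; print each primary key's
# fingerprint (field 10 of the first "fpr" record after a "pub" record).
primary_fprs() {
    awk -F: '$1 == "pub" { want = 1; next }
             $1 == "fpr" && want { print $10; want = 0 }'
}

# Succeed only if stdin describes exactly one primary key whose fingerprint
# equals $1 (spaces and letter case in $1 are ignored).
only_key_is() {
    expected=$(printf '%s' "$1" | tr -d ' ' | tr 'a-f' 'A-F')
    found=$(primary_fprs)
    [ -n "$found" ] && [ "$found" = "$expected" ]
}

# Replace keyring $2 with key file $1 only if the pin matches. The previous
# keyring is kept as $2.old. Assumes a gpg that supports --show-keys.
install_pinned_key() {
    gpg --batch --show-keys --with-colons "$1" | only_key_is "$EXPECTED_FPR" || {
        echo "refusing: $1 is not exactly key $EXPECTED_FPR" >&2
        return 1
    }
    cp -p "$2" "$2.old" && install -m 0644 "$1" "$2"
}

# Constructed colon-format samples for the two keys listed in this thread.
SAMPLE_OLD='pub:e:4096:1:5E3C45D7B312C643:1635292800:1674172800::-:::sc::::::23::0:
fpr:::::::::F9A211976ED662F00E59361E5E3C45D7B312C643:'
SAMPLE_NEW='pub:-:4096:1:7A3A762FAFD4A51F:1668384000:1707264000::-:::scSC::::::23::0:
fpr:::::::::E27409F51D1B66337F2D2F417A3A762FAFD4A51F:'

# Self-check on the samples; real use (as root, after downloading the key):
#   install_pinned_key pubkey_7A3A762FAFD4A51F.gpg /usr/share/spotify-launcher/keyring.pgp
printf '%s\n' "$SAMPLE_NEW" | only_key_is "$EXPECTED_FPR" && echo "new key matches pin"
printf '%s\n' "$SAMPLE_OLD" | only_key_is "$EXPECTED_FPR" || echo "old key rejected"
```

A file that bundles the expected key with any other primary key is rejected as well, so a keyring carrying an extra trusted signer cannot pass the check.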